Completing the Exploit

Exploit Development

Completing our egghunter exploit

This is a standard SEH overflow. We can notice some of our user input a “pop, pop, ret” away from us on the stack. An interesting thing to notice from the screen shot is the fact that we sent a 2000 byte payload – however it seems that when we return to our buffer, it gets truncated. We have around 80 bytes of space for our shellcode (marked in blue). We use the Immunity !safeseh function to locate unprotected dll’s from which a return address can be found.

Structured Exception Handler (SEH) overflow | Metasploit Unleashed

We copy over the DLL and search for a POP POP RET instruction combination using msfpescan.

Once again, we generate our exploit file, attach Audacity to the debugger and import the malicious file. This time, the SEH should be overwritten with our address – the one that will lead us to a pop, pop, ret instruction set. We set a breakpoint there, and once again, take the exception with shift + F9 and walk through our pop pop ret with F8.

SEH Chain | Metasploit Unleashed

The short jump takes us over our return address, into our “shellcode buffer”.

Shellcode Egg Hunter | Metasploit Unleashed

Once again, we have very little buffer space for our payload.A quick inspection of the memory reveals that our full buffer length can be found in the heap. Knowing this, we could utilize our initial 80 byte space to execute an egghunter, which would look for and find the secondary payload.